Top 5 misconceptions about the new Quebec law on the protection of personal information | Stikeman Elliott LLP

With the first wave of amendments to the Quebec law on the protection of personal information (“Bill 25”) taking effect on September 22, 2022, we thought we would share the top 5 misconceptions we encountered when discussing the effects Bill 25 will have on businesses operating in Quebec.

Note: While Law 25 was passed a year ago, its provisions enter into force on a deferred basis in 2022, 2023 and 2024. For more information, see our previous article.

1. “We are a B2B operation, so the legislation does not apply to us”

The legislation applies to any entity that holds “Personal Information”, defined as any information relating to a natural person and allowing that person to be identified directly or indirectly. It includes information such as a person’s name, address, date of birth, government-issued identification number, or gender. It also includes the IP or MAC address of a device that can be linked to an individual, as well as the individual’s browsing behavior. Given this broad definition of personal information, it is therefore difficult to imagine a company that does not collect, use or disclose (“process”) personal information in some way, and to which the requirements of Law 25 therefore do not apply.

2. “I think someone in HR ensures compliance with privacy legislation”

While the HR “person” can be very competent, and in fact the best person to ensure compliance with Law 25, companies handling personal information will now be required to designate a specific person to ensure that personal information is protected. The title and contact details of this person must be published on the company’s website or made available to the public by any other appropriate means. Effective September 22, 2022, if an entity has not designated an individual, the role of Privacy Officer will automatically fall to the individual with the highest decision-making authority, who can delegate it in writing to someone else in the organization.

3. “I think our IT department has an incident response plan”

Most IT departments have an incident response plan. An IT incident response plan, however, is tailored to the requirements incumbent on the IT department. It does not necessarily reflect the legal obligations a business faces following an incident involving personal information, such as:

  • Determine whether the incident could lead to a risk of serious injury;
  • If the incident presents a risk of serious injury, notify the persons whose information has been compromised as well as the Commission d’accès à l’information; and
  • Record the incident in a register and keep a record of the incident for 5 years.

Having a separate incident response plan specific to personal information is essential for two reasons: first, an incident involving personal information does not have to involve IT. For example, a lost or stolen paper file containing employee names and salaries constitutes an incident and is unlikely to be covered by an IT incident response plan. Second, the thresholds used to determine the risk levels of a cyber incident are generally higher than those used to determine a risk of serious injury to an individual as a result of a compromise of their personal information.

4. “We do not share any personal information with anyone. We store it in the cloud”

Unless the company hosts its own cloud-based servers, storing personal information with an external cloud service provider is considered a disclosure of personal information. The company must therefore inform the individual of this disclosure. Additionally, from September 2023, the individual’s consent to this disclosure will not be required, but the company must have a data processing agreement in place under which the provider commits to adequate security measures to protect the personal information it receives. If the supplier is located outside of Quebec, a privacy impact assessment must be performed to ensure that the personal information will receive an equivalent level of protection.

5. “We can’t release this information because we don’t have the person’s consent”

As of September 22, 2022, a business involved in a business transaction may disclose an individual’s personal information to its counterpart without the individual’s consent. This effectively extends the “commercial transaction” exception found in the federal Personal Information Protection and Electronic Documents Act to companies operating in Quebec. Law 25, however, requires the disclosing party to enter into an agreement with the receiving party in which the receiving party agrees to:

  • Use personal information only to complete the business transaction;
  • Refrain from disclosing Personal Information without the consent of the person concerned, unless authorized to do so by law;
  • Take steps to protect the confidentiality of Personal Information; and
  • Destroy the Personal Information if the transaction is not concluded or if the Personal Information is no longer necessary for the conclusion of the transaction.

Once the transaction is complete, the recipient of the Personal Information must process the information only in accordance with Law 25 and must eventually inform the individual that it holds their Personal Information.

These 5 points relate to the most substantial changes that Bill 25 introduces in the Quebec landscape of the protection of personal information. Within a year, additional, more onerous requirements will come into effect, giving Quebec businesses the next 12 months to prepare.